Analysis

  • max time kernel
    43s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    20-02-2024 22:01

General

  • Target

    71868b31f3cb49a783be2eb3be290b70d8286c5cd034735dcc4f637572b2953b.apk

  • Size

    541KB

  • MD5

    0b54a64042ef068cc7f6a19c6503dd2a

  • SHA1

    09e4b933d1c4efebfac8d1c38d0154d7b3cfa68b

  • SHA256

    71868b31f3cb49a783be2eb3be290b70d8286c5cd034735dcc4f637572b2953b

  • SHA512

    7ca809587c5a374a42874fefe993cc751af810e986d26949755e833d2eef56d22afbf2a3b74f3dbae23b030e2624a570fb93664624284507cd15322f9b12b7d2

  • SSDEEP

    12288:c2tUqW/gTvpAwpsmvH3Tm6/OPMMXLhJ1L5tQn5:c2VW/gTpAwd/2MWLhrL5tQn5

Malware Config

Extracted

Family

octo

C2

Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.specialeach6
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4203

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.specialeach6/cache/eeimufp

    Filesize

    450KB

    MD5

    0e8512d777f7b9ff6a610e034d98b0e1

    SHA1

    32e8ceee191849ad0616138b8c4fb88ffed39cf0

    SHA256

    aa5c01b615aea0b775ab4745eef97b2bbe38c58bea0019e90cea9abdd4680681

    SHA512

    395f9bf167caceb4a7a632851a94fcce5cc932e4fede3b00b17a152831eac0ca687ab80b40b73f86019b9a0f01df934271b75473a56bd160d51fafaa28ce1c02

  • /data/data/com.specialeach6/kl.txt

    Filesize

    230B

    MD5

    86d8d8309971c13437fe636813878c94

    SHA1

    7da0858a3df72649c4807c9223a91e00ea208455

    SHA256

    8168d8183b909bac6e4c0370d0aac38a34502b7aeed74ccce5adc05d28231a85

    SHA512

    00e7b0c18e2e13d98ea18afe5ad1b4a8cd6a53394de70109c2d67bc816132e7e2e581238c114f927f040a1c75306d13f4fc7fe15c4a9b01d906284cda3079635

  • /data/data/com.specialeach6/kl.txt

    Filesize

    79B

    MD5

    f2fa45be35e6d04a4a2e9a0c1b7583bd

    SHA1

    3530006b6c13d3510b1cdc0a39988daca8e2d839

    SHA256

    da41308f68922ae42fc26d743c096e4ae8bc006598337cccccb4c386877e858f

    SHA512

    fa4f4cfd893db09af951f233235ba886d0051f932c09a3ffed88d904584cde5b12c104baa47dcd2c4347627fc60991a5f171e57198cf9a889053b9f400cfdeb3

  • /data/data/com.specialeach6/kl.txt

    Filesize

    63B

    MD5

    4e1873dbf582873b6251ecd856eb7901

    SHA1

    95f6e145fcb5b6bcde3d5cfe00e534518465aea9

    SHA256

    8c7b468637de393bbd4af3b85fd61ea6701deab93a8f07ee98cc1647a3aeaef0

    SHA512

    77f65001c62528e45a5fd3ca25d81c49812bf42cc3209100920406c0f299714035320d33b34084fe1a9306313815ea828f6d63efd258d369bd926715b2c1662b

  • /data/data/com.specialeach6/kl.txt

    Filesize

    45B

    MD5

    5fc75b1fbcbcd0b55c846463a4b93d48

    SHA1

    e70d602d781c2a6b1450a593d4dfcb9abb14aeb7

    SHA256

    9807a8e7ed72e6241b97dd117884c439030a0c583475ad0a16396c261e8b5d81

    SHA512

    f5a1e3dbaf3f3f15b626d123215d878dc5faf68258a77f9a7a459c66bdfd13bd3e6297eb90a3421a204960504ed1d0b91e58fdf990c125ba4c0f0e761e0eef64

  • /data/data/com.specialeach6/kl.txt

    Filesize

    144B

    MD5

    11ebc1137e02f8151cc71276386d698c

    SHA1

    b86e2ab017b77262c195118c9ad4383f25deaf6c

    SHA256

    42c90346becfe28daf2a05bfd3ba61a30aac21302f69b6e758299964a3dce222

    SHA512

    144917b33e1240251fe9b30af34b49e75e8b7ed3bc17b34608c8d4b11b9c4802bd3be336f46bd4694eed7fd5c43c51b70f8e3881558638f4d452719e4b9b0b66